Data Breaches in 2010: Indicates Mandatory Reporting Needed

Some statistics updated in 2015

The Identity Theft Resource Center recorded 662 breaches on its 2010 ITRC Breach List. It is apparent, with few exceptions, that there is no transparency when it comes to reporting breaches. Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported or under-reported.

Mandatory reporting has had a positive impact on the reported number of medical data breaches. Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk. The HHS breach report does not detail whether names, x-rays or Social Security Numbers (SSNs) were included in the exposed data. The public has no way of knowing just how minor or serious the data exposure was for any given incident. The media have helped by reporting more details for some breach events.

In addition, state-mandated reporting of all breaches, required by several state Attorneys General, has increased public reporting, but it only applies if an individual in that state might be affected. In 2010, New Hampshire listed 96 breaches and Maryland reported 160. Wisconsin and Vermont have small lists of reported breach events.

Highlights of the ITRC Breach List analysis include:

Paper breaches account for nearly 20% (one-fifth) of known breaches and typically go unnoticed until a consumer reports the problem to local media. There is generally no mandatory reporting requirement for paper breaches.

Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.

38% (254) of listed breaches did not identify the manner in which the information was exposed. This indicates a clear lack of transparency and full reporting to the public.

411 breaches (62.1%) reported exposure of Social Security Numbers.

170 breaches (25.7%) involved credit or debit cards.

The nation needs a centralized, publicly available, data breach reporting site. It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened. This would also allow law enforcement to better address this type of crime.

Breaches happen. First, consumers, government and the business community need to stop acting like ostriches with their heads in the sand. Second, the concept of “risk of harm” is not acceptable for determining notification. This is true especially if the company involved is allowed to define “risk of harm.” Only a federal IT forensic specialist should have that authority. Breached information has been used months after the original exposure.

Are breached entities going to like the future? ITRC hopes they will embrace the change as productive and valuable. Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation.